EquiTF

she hadn't actually worked up the ranks (ie, didn't have experience at the coal-face) and seemed to come to Equifax from the back of another well known major name cocking things up.

The only reference I've seen to this was in the article here, where Remy said: "She’s spent her entire career in “executive” roles, and while she was a CSO before going to Equifax, that was at First Data. Funny thing about First Data: up until 2013 (about when she left), it was in a death spiral that was fixed after some serious house-cleaning and restructuring- like clearing out dead-weight in their C-level." All I can say about that is it's complete supposition on his part. How would anyone blame the CSO for the kind of top-level business failures that First Data was supposed to have had? The article doesn't talk about that at all.

Of course, I cannot now find that article, so it may be complete bollocks and got pulled!

If you find the article, please post it. However, her previously documented experience has 3 confirmed Security and Audit positions out of the 4 that were listed on her LinkedIn page: HP from 2002-2007, First Data from 2009-2013, and Equifax from 2013-present. The only one that's not confirmed is the Sun Trust one, from 2007-2009. And 2002 is just when the list started. I have no idea how old she was or when she graduated from college, so she might have earlier IT experience that she simply didn't bother listing on LinkedIn.

Seriously? My handle is "CurrentEfxEmployee", for goodness sake. Of course I'm biased. But I'm biased because I know just how much that's being bandied about is pure BS. You want to hate Equifax? Be my guest. You want to hate the whole CRA industry? Get in line. You want to make changes? Then you better actually understand WTF you're talking about.

You guys need to make it less obvious. At the very least, you're extremely biased. At worst, you're being paid to defend your morally bankrupt and soon to be fiscally bankrupt company.

To be fair, he doesn't seem to be defending Equifax, he seems to be defending this CISO at the expense of Equifax. I agree with your view of that firm, and the CRA industry, it needs much more accountability for so much that it currently gets away with, hopefully keeping the pressure on will bring about some change ... as it stands, the public are mostly in the dark about the industry functions and even why it exists. Equifax dying over this would be a good thing as a wake up call to others, it's tempting, but not nice, to wish for that as plenty of blameless people would suffer as a result.

The problem with the whole argument we seem to be having here is that this person was a very senior exec, with experience of being a senior exec (apparently). She's ultimately responsible, 2nd in line to the CEO, for this fiasco. If it is true (and I've not seen evidence) that she was battling for, and not getting, the right approach/resources then that's her failing. She's there to do that, it's her job. It's not like a tech person (say a programmer, as most of us seem to be here) getting half the resources and stupid requirements; our job is to try and work with that, we can moan about it (and we all do), but we work with what we are given and responsibility for the fcuk-up supposedly rests higher up the chain.

She's got responsibilities to deliver, amongst other things, compliance and protection. There's flexibility over bright shiny things and new stuff etc, but not on regulatory or security stuff. If the board were hearing her say her department couldn't deliver and they didn't want to follow her recommendations they should have replaced her, that's how it works at that level. If they told her to suck it up and JFDI, she should have quit, that would have been the right way to do it.

Two people who worked with Mauldin at Equifax say she seemed to be putting the right programs in place, or trying to. “Internally, security was viewed as a bottleneck,” one person said. “There was a lot of pressure to get things done. Anything related to IT was supposed to go through security." Mauldin couldn’t be reached for comment.

What I'm defending is the facts. There's plenty of blame to go around...but we need to be objective about where to lay that blame. Perhaps Susan Mauldin was a bad CISO...maybe she was a good one. But claiming she was unqualified is completely false. She had decades of qualifications in working in security and audit roles. Maybe she should have quit if she wasn't getting the executive support she wanted...maybe she was trying to make a difference and didn't want to abandon ship yet.

I just read the prepared testimony of Rick Smith, and it lays out more details on the hack. Equifax knew about the vulnerability, and thought they had done the necessary scans, patches, and updates to apply fixes and make sure they were in place. But, as anyone who works with modern Java knows, you just need to miss one dependency somewhere to be vulnerable, and they did. One pom.xml file gets reverted, one 3rd party component loads an older version of Struts, one deployment gets rolled back, and you're now back to being insecure.

Beyond that, from the Bloomberg article, the hack was very sophisticated and the attackers went to great lengths to conceal their presence. The key thing that all readers of The Daily WTF should be thinking is that none of us are safe. You can think you've got all the right procedures in place, and have all the right tools, and then still get pwned.
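The "one missed dependency" failure mode described in the post above is exactly what a build-time dependency audit is for. The following is an added example, not code from the thread or from Equifax: it parses the text form of `mvn dependency:tree` and flags any Struts core artifact below an assumed minimum version, reporting the chain of parents that pulled it in, so a transitive copy dragged in by a third-party component (the case the post describes) shows up alongside a directly declared one. The sample tree is constructed, `MIN_SAFE_VERSION` is an assumed threshold for illustration (take the real value from the vendor advisory for the CVE you are tracking), and the third-party coordinates are made up.

```python
"""Flag outdated Apache Struts artifacts anywhere in a Maven dependency tree.

Added example: reads the text output of `mvn dependency:tree` and reports every
watched artifact whose version is below an assumed minimum, together with the
path of parent dependencies that introduced it.
"""
import re
from typing import Dict, List, Tuple

# Assumed threshold for illustration only; not taken from the thread or an advisory.
MIN_SAFE_VERSION = "2.3.32"
WATCHED_ARTIFACTS = {("org.apache.struts", "struts2-core")}

# Constructed sample shaped like `mvn dependency:tree` output: a directly declared
# struts2-core at the safe version, plus a made-up third-party component that
# transitively pulls in an older copy.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0.0
[INFO] +- org.apache.struts:struts2-core:jar:2.3.32:compile
[INFO] |  \\- org.apache.struts.xwork:xwork-core:jar:2.3.32:compile
[INFO] +- com.example.thirdparty:legacy-widget:jar:4.2.0:compile
[INFO] |  \\- org.apache.struts:struts2-core:jar:2.3.15:compile
[INFO] \\- junit:junit:jar:4.12:test
"""

# "[INFO]", optional tree drawing characters, then the Maven coordinate.
LINE_RE = re.compile(r"^\[INFO\]\s*(?P<prefix>[|+\\\- ]*)(?P<coord>[^\s]+)$")


def version_key(version: str) -> Tuple:
    """Turn '2.5.10.1' into a tuple that compares numerically segment by segment."""
    parts = []
    for seg in re.split(r"[.\-]", version):
        parts.append((0, int(seg)) if seg.isdigit() else (1, seg))
    return tuple(parts)


def parse_tree(tree_text: str) -> List[Tuple[int, Dict[str, str]]]:
    """Return (depth, artifact) pairs from dependency:tree text output."""
    rows = []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3  # each tree level is three characters wide
        fields = m.group("coord").split(":")
        if len(fields) in (4, 5):      # group:artifact:packaging:version[:scope]
            group, artifact, version = fields[0], fields[1], fields[3]
        elif len(fields) == 6:         # group:artifact:packaging:classifier:version:scope
            group, artifact, version = fields[0], fields[1], fields[4]
        else:
            continue
        rows.append((depth, {"group": group, "artifact": artifact, "version": version}))
    return rows


def find_outdated(tree_text: str, min_safe: str = MIN_SAFE_VERSION) -> List[Dict[str, str]]:
    """Return every watched artifact below min_safe, with the chain that pulled it in."""
    findings = []
    stack: List[str] = []  # ancestors of the current line as 'group:artifact:version'
    for depth, art in parse_tree(tree_text):
        label = f"{art['group']}:{art['artifact']}:{art['version']}"
        del stack[depth:]  # pop back to this line's parent level
        watched = (art["group"], art["artifact"]) in WATCHED_ARTIFACTS
        if watched and version_key(art["version"]) < version_key(min_safe):
            findings.append({"artifact": label, "version": art["version"], "via": " -> ".join(stack)})
        stack.append(label)
    return findings


if __name__ == "__main__":
    for finding in find_outdated(SAMPLE_TREE):
        print(f"OUTDATED {finding['artifact']} (via {finding['via']})")
```

Run against a real project with `mvn dependency:tree -Dverbose` so that versions Maven would otherwise omit for conflict are listed too; the regex above tolerates only the plain coordinate form, so strip any trailing conflict annotation before feeding those lines in. The point of the `via` chain is that the fix for a transitive copy is a dependency override or an exclusion on the component that introduced it, not another edit to the top-level pom.xml that the next revert will undo.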

It was certainly a fairly sophisticated hack, but that is something we all need to be prepared for. Their procedures were inadequate, no two ways about it.

I take your point, and agree entirely with your last paragraph, but the fact remains she had (as far as we know) no formal qualification whatsoever. She had experience, we don't know exactly how relevant that was. Based on the paucity of information, and the effort to cover it up, and the cack-handed post-breach incident handling I think people are correct to judge. There's too much reward for failure at board level, especially in these types of business.

but the fact remains she had (as far as we know) no formal qualification whatsoever. She had experience, we don't know exactly how relevant that was.

That's just a ludicrous statement. I have a CS degree, but I did all of my work on a PDP11/44. Does that mean I have no formal qualifications to program on anything else? I didn't learn Java in college (it didn't exist then), so does that mean I can't be qualified to learn Java and be a programmer?

You're correct, we just don't know about the totality of her work experience and her education. So continuing to make these claims is pure mean-spirited supposition. If you don't have the facts, then you should stop making these claims. All we know for sure is the 15 years of IT roles, the majority of which were Security and Audit related jobs. We don't know if that page was complete, nor any other professional qualifications she might have achieved. But continuing to claim that Equifax hired a completely unqualified CISO is completely unsubstantiated.

It doesn't amuse me at all. With limitless freedom comes responsibility, and I think it's sad that there are so many examples of American companies and individuals who somehow seem unable to handle it. Wish I could say something more optimistic for all you guys who maintain their integrity, quietly in the background. :-(

The fact remains, demonstrable incompetence, and no evidence of qualification for the position, some experience, previous success not verified. It is you making claims. The evidence is the wrong way around in your statement ... there is no evidence Equifax hired a qualified CISO. It's up to them to prove they did.

How is it someone at that level never picked up a correspondence Masters, a Sec+ or a CISSP or anything relevant in the CyberSec sector? I don't hammer those things in as prerequisites if someone can demonstrate a track record of success and ability, but I'd expect them to get something at some point and maintain the certificates (in that sector). So assuming she really is above all that, why the effort to scrub her identity?

She had experience, probably, not qualifications, what of that don't you get? Yes technology changes, but you and I have qualified in something relevant and then either maintained our skills (with or without doing courses/exams) or been intellectually lazy and not bothered. She has not done it that way, coming into an industry from elsewhere, late, by unorthodox means? I'm all for that. Something like CyberSec, you really must go and get some education at some point afterwards or this sort of thing will happen. It's not like other sectors (especially not like code hacking), you can't just wing it on leadership skills and instinct alone.

She's not required to provide her qualifications to anyone except her employers, which she did to their satisfaction. Unless you're claiming she lied about her background when she got the job?

How is it someone at that level never picked up a correspondence Masters, a Sec+ or a CISSP or anything relevant in the CyberSec sector?

Who's to say she didn't? Just because she didn't put them on her LinkedIn page? You just don't know what her qualifications were, but keep making declarations as if you do.

She had experience, probably, not qualifications, what of that don't you get?

Again you don't know. You haven't seen her qualifications beyond her minimalistic LinkedIn page...but they were enough to convince two financial companies to hire her for the top security role.

She has not done it that way, coming into an industry from elsewhere, late, by unorthodox means?

What constitutes "late"? Do you know if she ever worked in any music-related jobs? Are you sure she didn't minor in Information Security in college? You keep making these "points" but your points are all pure guesswork and supposition on your part. Can you provide even one shred of evidence for these claims you keep making?

She was CISO, they leaked millions of records of critical personal data, from a firm that is supposed to specialise in this stuff, and then made a total fuck up of the aftermath. She deserves a criminal conviction, along with that CEO.

Do own up to your interest in this ... if you once met her and she gave you the horn, all is forgiven.

If you want to inexplicably just keep making things up, feel free, I'll just continue to call you out on it. What's your interest in this blatant, unsubstantiated character assassination? The facts as reported don't support your wild theories, so it's puzzling why you keep repeating the same baseless claims over and over.

Do own up to your interest in this ... if you once met her and she gave you the horn, all is forgiven.

In spite of actually working for Equifax, I never met any of the executives that have been in the news (CEO, CISO, CTO, the executives that sold stock, etc.), so your vulgar allegation is, in addition to being deliberately offensive, completely untrue.

She was CISO, they leaked millions of records of critical personal data, from a firm that is supposed to specialise in this stuff, and then made a total fuck up of the aftermath.

No one disputes the hack or the result. I'm only pointing out that your claims about her qualifications are completely without merit. You are simply making things up and claiming them to be true. What possible motive could you have for this blatant ignoring of the facts?